Abstract

We use input/output automata to define a simple and general model of networks of concurrently
executing, nondeterministic processes that communicate through unidirectional, named
ports. A notion of the input/output relation computed by a process is defined, and determinate
processes are defined to be processes whose input/output relations are single-valued. We show
that determinate processes compute continuous functions, and that networks of determinate
processes obey Kahn’s fixed-point principle. Although these results are already known, our contribution
lies in the fact that the input/output automata model yields extremely simple proofs
of them (the simplest we have seen), in spite of its generality.


1  Introduction 


In [5], Kahn describes a simple parallel programming language based on the concept of a network
of concurrently executing sequential processes that can communicate by sending values over “channels.”
The communication primitives available to processes are sufficiently restrictive that only
functional processes can be programmed. That is, each process may be viewed as computing a
function from the complete history of values received on its input channels, to the complete history
of values emitted on its output channels. Kahn argues that such processes in fact compute functions
that are continuous with respect to a suitable complete partial order (cpo) structure on the sets
of input and output histories. Moreover, a network of such processes also computes a continuous
function,  which  can  be  characterized  as  the  least  fixed-point  of  a  continuous  functional  associated 
with  the  network.  The  advantage  of  this  least  fixed-point  characterization  is  that  it  permits  the 
use  of  Scott’s  induction  rule  to  prove  properties  of  process  networks. 

Kahn’s  original  conception  of  a  process  network  has  subsequently  been  elaborated  to  serve  as 
a  basis  for  “dataflow”  models  of  computation.  In  the  dataflow  literature,  a  network  of  processes 
is  typically  represented  by  a  “dataflow  graph,”  which  is  a  directed  graph  whose  nodes  correspond 
to  processes,  and  whose  arcs  correspond  to  unidirectional  FIFO  communication  channels  between 
processes.  The  program  for  a  process  designates  particular  channels  to  be  used  for  input  or  output 
through  the  use  of  “ports,”  which  are  names  assigned  by  a  process  to  each  channel  attached  to  that 
process. In contrast to Kahn’s original model, both functional and nonfunctional processes are of
interest in dataflow computation. Although it is straightforward to give an operational semantics
for such networks by describing the flow of data values through them, it is unfortunately the case
that Kahn’s denotational semantics for networks of functional processes is not known to have an
equally elegant generalization to networks of processes with non-functional behaviors. Brock and
Ackerman [1] have shown that naive generalizations, in which relations, rather than functions, are
used  to  represent  the  input/output  behavior  of  processes,  fail  to  be  consistent  with  the  intuitive 
operational  model  of  network  execution.  An  extensive  literature  has  arisen  from  attempts  to  resolve 
the  so-called  “Brock-Ackerman  anomaly.”  Although  we  cannot  adequately  review  this  literature 
here,  the  reader  may  refer  to  the  recent  papers  [4,6,9]  for  references  to  earlier  work. 

Kahn  did  not  give  a  proof  of  the  consistency  of  his  fixed-point  principle  with  respect  to  an 
operational  semantics.  However,  Kahn’s  principle  is  similar  to  results  that  had  already  been  proved 
[2]  for  recursive  program  schemes,  and  thus  was  generally  accepted  without  an  explicit  proof.  In  the 
search  for  extensions  to  the  non-functional  case,  though,  consistency  proofs  are  essential,  since  it 
is  fairly  easy  to  define  denotational  “semantics”  which,  although  seemingly  plausible,  do  not  agree 
with  an  intuitively  correct  operational  semantics.  Recently,  some  attention  has  been  paid  to  the 
problem  of  establishing  the  Kahn  principle  as  a  theorem  about  an  operational  model.  Faustini  [3] 
defines a reasonably general model of networks of nondeterministic processes. Using some game-theoretic
ideas, Faustini defines a subclass of networks of functional processes, and shows that
such  networks  obey  the  Kahn  principle.  Stark  [9]  defines  a  class  of  nondeterministic  processes, 
through  axioms  that  constrain  the  structure  of  processes  viewed  as  a  kind  of  generalized  transition 
system.  “Kahn  processes”  are  defined  to  be  processes  whose  underlying  transition  systems  obey  an 
additional  Church-Rosser-like  property.  Stark  shows  that  the  Kahn  principle  can  be  derived  from 
the  axioms.  Gaifman  and  Pratt  [4],  and  Rabinovich  [8]  show  that  the  Kahn  principle  holds  for  the 
“pomset”  model. 

Although the technical complexities of the three papers [4,8,9] make anything other than qualitative
comparisons difficult, all seem to be talking about essentially similar sets of ideas. Each of
the  proofs  involves  the  use  of  the  properties: 

1.  A  process  is  capable  of  accepting  any  input  at  any  time. 

2.  Production  of  output  by  a  process  depends  only  on  previously  received  input,  and  not  on 
input  received  later  than  or  simultaneously  with  the  output. 

3.  If  the  input  history  of  a  process  in  one  computation  is  consistent  with  its  input  history  in 
another  computation,  then  the  output  histories  in  the  two  computations  are  also  consistent. 

These  three  properties  are  used  in  an  inductive  argument  to  show  that  a  network  must  produce 
output  less  than  or  equal  to  the  output  specified  by  the  Kahn  principle.  The  additional  property: 

4.  A  process  can  always  make  progress  toward  a  complete  computation,  regardless  of  the  input 
received. 

is  used  to  establish  that  a  network  must  produce  at  least  as  much  output  as  that  specified  by  the 
Kahn  principle. 

In  this  paper,  we  prove  the  consistency  of  the  Kahn  principle  with  respect  to  an  operational 
model  based  on  the  “input/output  automata”  of  Lynch  and  Tuttle  [7].  Our  proof  shares  with 
others the four central ideas listed above, but has the advantage of being extremely simple (the
simplest we have yet seen). In part, this simplicity is attained because we are able to make use of
two powerful general theorems (Lemma 1 and Proposition 2) about input/output automata. Our
model is more general than Faustini’s [3], since we do not make any concrete assumption about the
structure of “channel buffers.” Faustini postulates channel buffers whose states are sequences of
messages in transit. In contrast, we think of each process as containing, as components of its state,
the buffers for the channels from which it takes its input. We also do not require for our definitions
and proofs the game theory used by Faustini. Our work can be seen as complementary in a sense
to that of Stark [9]. Whereas the latter work can be viewed as a search for as weak a condition as
possible on nondeterministic processes, from which the Kahn principle can be proved, our results
show that the simple restriction to “determinate” processes (those with single-valued input/output
relations) is already an extremely strong constraint, from which the Kahn principle follows almost
automatically.

Even  though  the  truth  of  the  Kahn  principle  is  not  really  in  doubt,  we  believe  it  is  important 
to  search  for  semantic  models  in  which  the  principle  can  be  proved  as  simply  and  generally  as 
possible. Since this principle is perhaps the simplest and most elegant result we have to date in the
theory of concurrency, it seems reasonable to expect that any purportedly useful semantic model
should admit a simple proof of it. The ultimate goals of the search would be the identification of a
minimal set of properties that a model of nondeterministic process networks must have if the Kahn
principle is to hold, and a determination of the extent to which the theory of functional processes
can be usefully generalized.

2  Input/Output  Automata 

An action signature is a triple $A = (A^{in}, A^{out}, A^{int})$, where the sets $A^{in}$, $A^{out}$, and $A^{int}$ are pairwise
disjoint. The elements of $A^{in}$ are called input actions, those of $A^{out}$ are called output actions, and
those of $A^{int}$, internal actions. We use the same symbol $A$ to denote both an action signature and
the set $A^{in} \cup A^{out} \cup A^{int}$ of all its actions.

An input/output automaton is a tuple $M = (A, Q, Q^0, T, \sim)$, where

• $A$ is an action signature.

• $Q$ is a set of states.

• $Q^0 \subseteq Q$ is a distinguished set of start states.

• $T \subseteq Q \times A \times Q$ is a set of transitions, with the property that for all $q \in Q$ and all input
actions $a$, there exists a transition $(q, a, r)$ in $T$.

• $\sim$ is an equivalence relation on the set $A^{out} \cup A^{int}$ of non-input actions, such that the number
of equivalence classes of $\sim$ is at most countable.

If $(q, a, r) \in T$, and $T$ is clear from the context, then we write $q \xrightarrow{a} r$. An action $a$ is said to be
enabled in state $q$ if there exists a state $r$ such that $q \xrightarrow{a} r$. The definition of an input/output
automaton requires that all input actions be enabled in every state.

A comment is in order concerning the equivalence relation $\sim$. We use input/output automata
not just to model single processes, but also systems of concurrently executing processes. When we
model a system of processes, we are interested only in “fair” computations, that is, in computations
in which no process that desires to execute is forever prevented from doing so. To impose the
requirement of fairness, we need a certain amount of information about the correspondence between
actions and processes. The equivalence relation $\sim$ provides this information, in the sense that we
think of each equivalence class of $\sim$ as the set of actions of a single process that should receive fair
treatment.

An execution fragment of an input/output automaton is either a finite sequence of the form
or an infinite sequence of the form
where for each $k \geq 0$, we require that $q_k \xrightarrow{a_k} q_{k+1} \in T$. An execution is an execution fragment whose
first state $q_0$ is a start state.

A finite execution fragment

$$q_0 \xrightarrow{a_0} q_1 \xrightarrow{a_1} \cdots \xrightarrow{a_{n-1}} q_n$$

is fair if no non-input actions are enabled in state $q_n$. An infinite execution fragment
is fair if, for every $\sim$-equivalence class $C$ of actions, either there exist infinitely many $k \geq 0$ with
$a_k \in C$, or else there exist infinitely many $k \geq 0$ for which no action in $C$ is enabled in state $q_k$.

If $U$ is any set, then let $U^\infty$ denote the set of all finite and infinite sequences of elements of $U$.
If $A$ is an action signature, then we call $A^\infty$ the set of action sequences for $A$. If $\sigma$ is an action
sequence, and $U$ is a set, then the restriction of $\sigma$ to $U$ is the subsequence $\sigma|U$ of $\sigma$ consisting only of
those actions that are in $U$. If $M$ is an input/output automaton, then the schedule of an execution
fragment of $M$ is the sequence of actions appearing in that fragment. The set $\mathrm{finscheds}(M)$ of finite
schedules of $M$ is the set of all schedules of finite executions of $M$. The set $\mathrm{fairscheds}(M)$ of fair
schedules of $M$ is the set of all schedules of fair executions of $M$.


Lemma 1 Let $M$ be an input/output automaton, and suppose $\sigma \in \mathrm{finscheds}(M)$. Then given
any action sequence $\rho$ consisting only of input actions, there exists a sequence $\tau$ such that $\sigma\tau \in \mathrm{fairscheds}(M)$,
and such that $\tau|A^{in} = \rho$.


Proof - We first claim that given any state $q \in Q$, and sequence $\rho$ consisting only of input
actions, there exists a fair execution fragment, starting from state $q$ and having schedule $\tau$, such
that $\tau|A^{in} = \rho$. This fair execution fragment can be obtained by a dovetailing construction in which
actions in $\rho$ are interleaved with actions from the various equivalence classes of $\sim$. The condition
that every input action is enabled in every state of an input/output automaton ensures that actions
in $\rho$ can be executed whenever required. The condition that the set of equivalence classes of $\sim$ is
at most countable ensures that the dovetailing can be carried out in such a way that the resulting
execution fragment is fair.

It is now easy to prove our result. Given $\sigma \in \mathrm{finscheds}(M)$, obtain a finite execution
with schedule $\sigma$. Given a sequence $\rho$ consisting only of input actions, apply the claim of the previous
paragraph to obtain a fair execution fragment, starting from state $q_n$ and having schedule $\tau$, such
that $\tau|A^{in} = \rho$. Concatenating the finite execution with schedule $\sigma$ with the fair execution fragment
with schedule $\tau$ yields a fair execution with schedule $\sigma\tau$, thus showing $\sigma\tau \in \mathrm{fairscheds}(M)$. ∎

Suppose $I$ is a finite or countably infinite index set. A collection $\mathcal{A} = \{A_i : i \in I\}$ of action
signatures is called compatible if for all $i, j \in I$ with $i \neq j$ we have $A_i^{out} \cap A_j^{out} = \emptyset$ and $A_i^{int} \cap A_j = \emptyset$.
If $\mathcal{A}$ is compatible, then the composition of $\mathcal{A}$ is the action signature $\prod \mathcal{A} = (A^{in}, A^{out}, A^{int})$, where
$A^{out} = \bigcup_{i \in I} A_i^{out}$, $A^{in} = (\bigcup_{i \in I} A_i^{in}) \setminus A^{out}$, and $A^{int} = \bigcup_{i \in I} A_i^{int}$.

A collection $\mathcal{M} = \{M_i : i \in I\}$ of input/output automata, where $M_i$ has signature $A_i$, is called
compatible if the collection $\mathcal{A} = \{A_i : i \in I\}$ of action signatures is compatible. If $\mathcal{M}$ is compatible,
then the composition of $\mathcal{M}$ is the quintuple $\prod \mathcal{M} = (A, Q, Q^0, T, \sim)$ where

• $A = \prod \mathcal{A}$.

• $Q = \prod_{i \in I} Q_i$.

• $Q^0 = \prod_{i \in I} Q_i^0$.

• $T$ is the set of all $((q_i : i \in I), a, (r_i : i \in I))$ such that for all $i \in I$, if $a \in A_i$, then
$(q_i, a, r_i) \in T_i$, and if $a \notin A_i$, then $r_i = q_i$.

• $\sim \; = \bigcup_{i \in I} \sim_i$.

It is easy to see that the compatibility condition ensures that $\prod \mathcal{M}$ is an input/output automaton.

The following result characterizes the set of finite or fair schedules of $\prod \mathcal{M}$ in terms of the sets
of finite or fair schedules of the $M_i$. A proof can be found in [7].

Proposition 2 Suppose $\mathcal{M} = \{M_i : i \in I\}$ is a compatible collection of input/output automata.
For each $i \in I$, let $A_i$ be the action signature of $M_i$. Then

1. Suppose $\sigma$ is a finite sequence of actions from $\prod \{A_i : i \in I\}$. Then $\sigma \in \mathrm{finscheds}(\prod \mathcal{M})$ iff
$\sigma|A_i \in \mathrm{finscheds}(M_i)$ for all $i \in I$.

2. $\sigma \in \mathrm{fairscheds}(\prod \mathcal{M})$ iff $\sigma|A_i \in \mathrm{fairscheds}(M_i)$ for all $i \in I$.

3  Port  Automata 

Let $V$ be a set of data values. A port signature is an action signature $A$, whose sets of input and
output actions have the particular form $A^{in} = P^{in} \times V$ and $A^{out} = P^{out} \times V$, with $P^{in}$ and $P^{out}$
disjoint and at most countable. The elements of $P^{in}$ and $P^{out}$ are called input ports and output
ports, respectively. If $a = (p, v) \in A^{in} \cup A^{out}$, then we write $\mathrm{port}(a)$ for the port component $p$, and
$\mathrm{value}(a)$ for the value component $v$, of $a$. A port automaton is an input/output automaton whose
action signature is a port signature.

Suppose $\mathcal{A} = \{A_i : i \in I\}$ is a compatible collection of port signatures. Then the composition
$\prod \mathcal{A}$ is also a port signature, with output port set $P^{out} = \bigcup_{i \in I} P_i^{out}$ and input port set
$P^{in} = (\bigcup_{i \in I} P_i^{in}) \setminus P^{out}$. It follows that the composition of a compatible collection of port automata is
also a port automaton.


The composition of a compatible collection of port automata models a network of communicating,
concurrently executing, component processes. Communication between components in such a
network  occurs  when  an  output  transition  of  one  component,  with  a  particular  port  and  data  value, 
occurs  simultaneously  with  input  transitions,  with  the  same  port  and  data  value,  for  a  number  of 
other  components.  We  allow  arbitrary  “fanout”  in  the  sense  that  a  single  action  may  be  shared  by 
more  than  two  components,  as  long  as  it  is  an  output  action  for  at  most  one  of  them.  This  is  a  bit 
more  general  than  the  usual  definition  of  “linking”  in  the  dataflow  literature,  in  which  each  port  of 
a  process  may  be  connected  with  at  most  one  port  of  another  process.  We  do  not  have  any  formal 
notion  of  “input  buffers”  or  “channel  processes.”  Rather,  we  think  of  a  buffer  for  each  input  port 
of  a  process  as  already  incorporated  into  the  state  of  that  process. 

If $P$ is a set of ports, then a history over $P$ is a function $H : P \to V^\infty$. Let $\mathrm{Hist}(P)$ denote
the set of all histories over $P$. If $A$ is a port signature, then each sequence $\sigma$ in $A^\infty$ determines a
corresponding history $H_\sigma \in \mathrm{Hist}(P^{in} \cup P^{out})$, defined by

$$H_\sigma(p) = \mathrm{value}(\sigma|\{a \in A^{in} \cup A^{out} : \mathrm{port}(a) = p\}),$$

where we have extended the ‘value’ notation to sequences $\sigma = a_1 a_2 \ldots \in (A^{in} \cup A^{out})^\infty$, by defining
$\mathrm{value}(\sigma) = \mathrm{value}(a_1)\,\mathrm{value}(a_2) \ldots$ The restrictions $H_\sigma^{in} = H_\sigma|P^{in}$ and $H_\sigma^{out} = H_\sigma|P^{out}$ to the
sets of input and output ports, respectively, are called the input history and output history of $\sigma$.
The input/output relation of a port automaton $M$ is the set $\mathrm{Reln}(M)$ of all pairs $(H_\sigma^{in}, H_\sigma^{out})$ with
$\sigma \in \mathrm{fairscheds}(M)$.

It is important for our purposes that the sets $A^\infty$ and $V^\infty$, and the set $\mathrm{Hist}(P)$ of all histories
$H : P \to V^\infty$, form algebraic, directed-complete posets¹ when equipped with suitable partial orderings.
The ordering of interest on $A^\infty$ and $V^\infty$ is the prefix ordering, and on $\mathrm{Hist}(P)$ it is the ordering
$\sqsubseteq$ obtained componentwise from the prefix ordering on $V^\infty$. The finite elements of $A^\infty$ and $V^\infty$
are the finite sequences, and the finite elements of $\mathrm{Hist}(P)$ are exactly those functions from $P$ to
$V^*$ that map all but a finite subset of $P$ to the empty sequence. Moreover, the map that takes
a sequence $\sigma \in A^\infty$ to the corresponding history $H_\sigma$ is continuous, and maps finite sequences to
finite histories. Finally, note that the assumption that $P$ is at most countable ensures that every
history $H \in \mathrm{Hist}(P)$ is $H_\sigma$ for some sequence $\sigma \in A^\infty$.

4  Determinacy 

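A port automaton $M$ is determinate if its input/output relation $\mathrm{Reln}(M)$ is single-valued, hence is
the graph of a function

$$\mathrm{Fun}(M) : \mathrm{Hist}(P^{in}) \to \mathrm{Hist}(P^{out}).$$

Lemma 3 Suppose $M$ is determinate. Suppose $\sigma \in \mathrm{finscheds}(M)$ and $\tau \in \mathrm{fairscheds}(M)$ are such
that $H_\sigma^{in} \sqsubseteq H_\tau^{in}$. Then $H_\sigma^{out} \sqsubseteq H_\tau^{out}$.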

¹ A subset $U$ of a partially ordered set (poset) $(D, \sqsubseteq)$ is directed if it is nonempty and every pair of elements of $U$
has an upper bound in $U$. The poset $(D, \sqsubseteq)$ is directed-complete if it has a least element, and every directed subset
$U$ of $D$ has a supremum $\bigsqcup U \in D$. A function between directed-complete posets is called continuous if it preserves
suprema. If $(D, \sqsubseteq)$ is directed-complete, then an element $e \in D$ is called finite (also isolated, or compact) if whenever
$U \subseteq D$ is directed, and $e \sqsubseteq \bigsqcup U$, then $e \sqsubseteq d$ for some $d \in U$. It is algebraic if every element $d \in D$ is the supremum
of the set of all finite $e \in D$ with $e \sqsubseteq d$.


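Proof - By Lemma 1, $\sigma$ extends to a schedule $\rho$ in $\mathrm{fairscheds}(M)$, such that $H_\rho^{in} = H_\tau^{in}$. By
determinacy, we must have $H_\rho^{out} = H_\tau^{out}$. Since $H_\sigma^{out} \sqsubseteq H_\rho^{out}$ by construction, it follows that
$H_\sigma^{out} \sqsubseteq H_\tau^{out}$. ∎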

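Lemma 4 Suppose $M$ is determinate, with $\mathrm{Fun}(M) = f$. Then $H_\sigma^{out} \sqsubseteq f(H_\sigma^{in})$ for all
$\sigma \in \mathrm{finscheds}(M)$.

Proof - Given $\sigma \in \mathrm{finscheds}(M)$, we may use Lemma 1 to extend $\sigma$ to $\tau \in \mathrm{fairscheds}(M)$, with
$H_\tau^{in} = H_\sigma^{in}$. Then $H_\sigma^{out} \sqsubseteq H_\tau^{out}$ by Lemma 3, and $H_\tau^{out} = f(H_\tau^{in})$ by the fact that $\tau \in \mathrm{fairscheds}(M)$.
Since $H_\tau^{in} = H_\sigma^{in}$, $f(H_\tau^{in}) = f(H_\sigma^{in})$. Thus, $H_\sigma^{out} \sqsubseteq f(H_\sigma^{in})$. ∎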

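Theorem 1 If $M$ is determinate, then $\mathrm{Fun}(M)$ is continuous.

Proof - We first show monotonicity. Suppose $\sigma, \tau \in \mathrm{fairscheds}(M)$, with $H_\sigma^{in} \sqsubseteq H_\tau^{in}$. Then
$H_\rho^{in} \sqsubseteq H_\tau^{in}$ holds for all finite prefixes $\rho$ of $\sigma$, so by Lemma 3, $H_\rho^{out} \sqsubseteq H_\tau^{out}$ holds for all finite
prefixes $\rho$ of $\sigma$. It follows that $H_\sigma^{out} \sqsubseteq H_\tau^{out}$.

Next, we show continuity. Suppose $\Sigma \subseteq \mathrm{fairscheds}(M)$, such that the collection $\{H_\sigma^{in} : \sigma \in \Sigma\}$
is directed, with supremum $H^{in}$. By Lemma 1 and the fact that $H^{in}$ is the history of some sequence
consisting only of input actions, we know there exists a schedule $\tau \in \mathrm{fairscheds}(M)$ with $H_\tau^{in} = H^{in}$.
Then by monotonicity, $H_\sigma^{out} \sqsubseteq H_\tau^{out}$ for all $\sigma \in \Sigma$. This implies that the collection $\{H_\sigma^{out} : \sigma \in \Sigma\}$
is directed, hence has a supremum $H^{out} \sqsubseteq H_\tau^{out}$. We claim that $H_\tau^{out} \sqsubseteq H^{out}$. By the continuity
of the map that takes each action sequence to the corresponding history, it suffices to show that
$H_\rho^{out} \sqsubseteq H^{out}$ for all finite prefixes $\rho$ of $\tau$. But if $\rho$ is a finite prefix of $\tau$, then $H_\rho^{in} \sqsubseteq H^{in}$, hence
$H_\rho^{in} \sqsubseteq H_\sigma^{in}$ for some $\sigma \in \Sigma$ by the finiteness of $H_\rho^{in}$. Thus $H_\rho^{out} \sqsubseteq H_\sigma^{out}$ by Lemma 3, and therefore
$H_\rho^{out} \sqsubseteq H^{out}$. ∎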

5  The  Kahn  Principle 

Let $\mathcal{A} = \{A_i : i \in I\}$ be a compatible collection of port signatures. Let $P$ denote the set of ports of
$\prod \mathcal{A}$, and for each $i \in I$, let $P_i$ denote the set of ports of $A_i$. Suppose $\mathcal{F} = \{f_i : i \in I\}$ is a collection
of continuous functions, where for each $i \in I$,

$$f_i : \mathrm{Hist}(P_i^{in}) \to \mathrm{Hist}(P_i^{out}).$$

The network equations associated with $\mathcal{F}$ are the equations (in the unknown history $H \in \mathrm{Hist}(P)$):

$$H|P_i^{out} = f_i(H|P_i^{in}) \quad (i \in I).$$

The network functional associated with $\mathcal{F}$ is the function

$$\Phi : [\mathrm{Hist}(P^{in}) \to \mathrm{Hist}(P)] \to [\mathrm{Hist}(P^{in}) \to \mathrm{Hist}(P)]$$

that takes each continuous function

$$f : \mathrm{Hist}(P^{in}) \to \mathrm{Hist}(P)$$

to the function

$$\Phi(f) : \mathrm{Hist}(P^{in}) \to \mathrm{Hist}(P)$$

defined by

$$\Phi(f)(H^{in})|P^{in} = H^{in}, \qquad \Phi(f)(H^{in})|P_i^{out} = f_i(f(H^{in})|P_i^{in}).$$


The compatibility condition on $\mathcal{A}$ ensures that $\Phi$ is well-defined, and it is straightforward to verify
that $\Phi(f)$ is continuous whenever $f$ is continuous.

The following result can be proved by standard techniques in the theory of cpo’s (see, e.g. [5],
Section 3).

Proposition 5 Suppose port signatures $\mathcal{A}$ and functions $\mathcal{F}$ are as above. Then the network functional
$\Phi$ associated with $\mathcal{F}$ is continuous, hence has a least fixed point $\mu\Phi$. Moreover, $\mu\Phi$ takes each
history $H^{in} \in \mathrm{Hist}(P^{in})$ to the least history $H \in \mathrm{Hist}(P)$ such that $H|P^{in} = H^{in}$, and such that $H$
satisfies the network equations associated with $\mathcal{F}$.

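Theorem 2 (Kahn Principle) Suppose $\mathcal{M} = \{M_i : i \in I\}$ is a compatible collection of determinate
port automata, let $\mathcal{F} = \{\mathrm{Fun}(M_i) : i \in I\}$, and let $\Phi$ be the network functional associated with
$\mathcal{F}$. Then $\prod \mathcal{M}$ is determinate, and $\mathrm{Fun}(\prod \mathcal{M})$ satisfies

$$\mathrm{Fun}(\prod \mathcal{M})(H^{in}) = \mu\Phi(H^{in})|P^{out}$$

for all $H^{in} \in \mathrm{Hist}(P^{in})$.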


Proof - Let $f_i = \mathrm{Fun}(M_i)$ for each $i \in I$. By Proposition 5, it suffices to show that for each
schedule $\sigma \in \mathrm{fairscheds}(\prod \mathcal{M})$, the history $H_\sigma$ is the least history $H \in \mathrm{Hist}(P)$ such that $H|P^{in} = H_\sigma^{in}$,
and such that $H$ satisfies the network equations associated with $\mathcal{F}$.

Suppose $\sigma \in \mathrm{fairscheds}(\prod \mathcal{M})$. Since $\sigma|A_i \in \mathrm{fairscheds}(M_i)$ by Proposition 2, it follows that for
each $i \in I$, $H_\sigma|P_i^{out} = H_{\sigma|A_i}^{out} = f_i(H_{\sigma|A_i}^{in}) = f_i(H_\sigma|P_i^{in})$. Thus, the network equations are satisfied
by $H_\sigma$.

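It remains to be shown that if $H$ is any history with $H^{in} = H_\sigma^{in}$ such that $H$ satisfies the network
equations, then $H_\sigma \sqsubseteq H$. It suffices to show that $H_\rho \sqsubseteq H$ for all finite prefixes $\rho$ of $\sigma$. We proceed
by induction on the length $|\rho|$ of $\rho$. The basis, $|\rho| = 0$, is immediate. For the induction step, let
$\rho = \rho' a$ where $a \in A$ and $H_{\rho'} \sqsubseteq H$. There are three cases:

(Case $a \in A^{int}$) Then $H_\rho = H_{\rho'} \sqsubseteq H$.

(Case $a \in A^{in}$) Since $H_\sigma^{in} = H^{in}$, we have $H_\rho^{in} \sqsubseteq H^{in}$. Then $H_{\rho'} \sqsubseteq H$ and $H_\rho^{in} \sqsubseteq H^{in}$ together
imply $H_\rho \sqsubseteq H$.

(Case $a \in A^{out}$) Then $a \in A_i^{out}$ for some $i \in I$, so that $H_\rho|P_i^{in} = H_{\rho'}|P_i^{in}$. By Proposition
2 and Lemma 4 we know that $H_\rho|P_i^{out} \sqsubseteq f_i(H_\rho|P_i^{in}) = f_i(H_{\rho'}|P_i^{in})$. But $H_{\rho'}|P_i^{in} \sqsubseteq H|P_i^{in}$, hence
$f_i(H_{\rho'}|P_i^{in}) \sqsubseteq f_i(H|P_i^{in}) = H|P_i^{out}$ by the monotonicity of $f_i$ and the assumption that $H$ satisfies
the network equations. Thus, $H_\rho|P_i^{out} \sqsubseteq H|P_i^{out}$. This fact, together with $H_{\rho'} \sqsubseteq H$, implies
$H_\rho \sqsubseteq H$. ∎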
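
The statement of Theorem 2 can be checked on a small instance. The following Python program is an added example and is not part of the original paper: it computes the least solution of the network equations by iteration from the empty histories, and compares it with the history produced by executing the composed port automata under many different schedules. The two components (ADD and DELAY), the port names "in", "a" and "b", and the restriction to finite histories are assumptions made for the illustration.

```python
import random

# Constructed two-component network with a feedback loop (not from the paper):
#   ADD   reads ports "in" and "b", writes their elementwise sums to port "a"
#   DELAY reads port "a", writes 0 followed by a copy of "a" to port "b"
# Histories are restricted to finite tuples so that every run terminates.

def f_add(h_in, h_b):
    """Fun(ADD): continuous map from the histories on 'in' and 'b' to the history on 'a'."""
    return tuple(x + y for x, y in zip(h_in, h_b))

def f_delay(h_a):
    """Fun(DELAY): continuous map from the history on 'a' to the history on 'b'."""
    return (0,) + tuple(h_a)

def least_fixed_point(h_in):
    """Denotational side: iterate the network equations starting from empty histories."""
    H = {"in": tuple(h_in), "a": (), "b": ()}
    while True:
        nxt = {"in": H["in"],
               "a": f_add(H["in"], H["b"]),
               "b": f_delay(H["a"])}
        if nxt == H:
            return H
        H = nxt

def run_network(h_in, seed):
    """Operational side: one finite fair execution of the composed port automata.

    Each component keeps the buffers for its input ports in its own state. A
    seeded random scheduler picks any enabled action; the run stops when the
    environment input is exhausted and no output action is enabled.
    """
    rng = random.Random(seed)
    pending = list(h_in)                 # values the environment still has to send on 'in'
    add_in, add_b, add_sent = [], [], 0  # state of ADD: two input buffers, outputs so far
    delay_a, delay_sent = [], 0          # state of DELAY: one input buffer, outputs so far
    hist = {"in": [], "a": [], "b": []}
    while True:
        enabled = []
        if pending:
            enabled.append("in")
        if add_sent < min(len(add_in), len(add_b)):
            enabled.append("a")
        if delay_sent < len(delay_a) + 1:
            enabled.append("b")
        if not enabled:
            break
        port = rng.choice(enabled)
        if port == "in":                 # input action of the network, received by ADD
            v = pending.pop(0)
            add_in.append(v)
        elif port == "a":                # output of ADD, simultaneously an input of DELAY
            v = add_in[add_sent] + add_b[add_sent]
            add_sent += 1
            delay_a.append(v)
        else:                            # output of DELAY, simultaneously an input of ADD
            v = 0 if delay_sent == 0 else delay_a[delay_sent - 1]
            delay_sent += 1
            add_b.append(v)
        hist[port].append(v)
    return {p: tuple(vs) for p, vs in hist.items()}

def is_prefix(s, t):
    """Prefix ordering on finite sequences."""
    return t[:len(s)] == s

if __name__ == "__main__":
    lfp = least_fixed_point((1, 2, 3))
    print("least fixed point:", lfp)
    agree = all(run_network((1, 2, 3), s) == lfp for s in range(200))
    print("every sampled schedule yields the same history:", agree)
    shorter = least_fixed_point((1, 2))
    print("monotone in the input:", is_prefix(shorter["a"], lfp["a"]))
```
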




6  Conclusion 


We have used input/output automata to define a rather general model of networks of nondeterministic
processes. A notion of the input/output relation computed by a process has been defined, and
used  to  define  the  class  of  determinate  (or  functional)  processes.  We  have  shown  that  determinacy 
is  a  very  strong  property,  from  which  it  follows  almost  immediately  that  the  functions  computed  by 
determinate  processes  are  continuous,  and  that  networks  of  determinate  processes  obey  the  Kahn 
principle. 